clojars

http://clojars.org discussion and “support”, see http://status.clojars.org for status.
danielcompton 2019-06-21T23:24:55.014400Z

That’s really a CircleCI issue mostly I think? Or are you suggesting we make some other type of credentials that can only publish snapshots?

danielcompton 2019-06-21T23:26:44.016800Z

I’d probably lightly discourage publishing untrusted snapshots. Also, what’s to stop the person bumping the version at the same time and publishing a release version?

danielcompton 2019-06-21T23:28:00.018500Z

That would require some kind of snapshot credential. And it would still fundamentally be leakable to third parties if it was exposed to untrusted PRs

danielcompton 2019-06-21T23:29:21.020600Z

I’m not sure if the security problems are resolvable, but feel free to open an issue to discuss it more. But be sure to address how you’d avoid third parties getting the snapshot credentials